
DORA: Knocking On Risk Management’s Door

How The Shared Assessments Standardized Information Gathering Questionnaire (SIG) Can Help with DORA Compliance

Shared Assessments’ Standardized Information Gathering Questionnaire (SIG) can be a valuable tool in achieving DORA (Digital Operational Resilience Act) compliance by providing a structured framework for assessing third-party risk. Shared Assessments SIG 2025, to be released later this year, will offer both robust support of and mapping to DORA standards.

DORA is an EU regulation that entered into force in January 2023 and applies as of January 2025. It aims to strengthen the IT security of financial entities such as banks, insurance companies and investment firms. As stated by the European Insurance and Occupational Pensions Authority, DORA is meant to make sure “that the financial sector in Europe can stay resilient in the event of a severe operational disruption.”

DORA weaves together rules on operational resilience for the financial sector, applying to numerous types of financial entities and to ICT (Information Technology and Cybersecurity) third-party service providers.

The financial sector is increasingly dependent on technology to deliver its services – and may become even more so with the emerging role of Artificial Intelligence – which makes financial entities vulnerable to cyber-incidents. (Look no further than the 10 Biggest Breaches in Finance to understand that cybercriminals choose their targets based on maximum impact and maximum profit – the financial sector is disproportionately impacted.)

When not managed properly, ICT risks can lead to disruptions of financial services globally. In turn, this would impact other companies, sectors, and even the broader economy, which emphasizes the importance of the digital operational resilience of the financial sector.

6 Key Areas Covered By DORA

With 6 pillars relating to third-party security, DORA covers:

  1. ICT risk management: Principles and requirements on ICT risk management framework
  2. ICT third-party risk management: Monitoring third-party risk providers and key contractual provisions
  3. Digital operational resilience testing: Basic and advanced testing
  4. ICT-related incidents: General requirements and reporting of major ICT-related incidents to competent authorities
  5. Information sharing: Exchange of information and intelligence on cyber threats
  6. Oversight of critical third-party providers: Oversight framework for critical ICT third-party providers

Shared Assessments Standardized Information Gathering Questionnaire (SIG) Answers To DORA

DORA places a strong emphasis on managing risks associated with third-party service providers. By ensuring these third parties meet robust security and resilience standards, organizations can significantly enhance their overall operational resilience.

The Shared Assessments SIG Questionnaire is designed to evaluate various aspects of a third party’s risk profile, including:

  • Cybersecurity: Assessing a third party’s security controls and practices.
  • Business Continuity: Evaluating a third party’s ability to maintain operations during disruptions.
  • Operational Resilience: Assessing a third party’s capacity to withstand and recover from adverse events.

The SIG provides a consistent methodology for assessing third-party risks, helping organizations identify and prioritize potential vulnerabilities. By covering a wide range of risk categories, the SIG can help organizations identify risks that might not be apparent through other assessment methods. The SIG can also be used to gather evidence of third-party compliance with various regulatory requirements, including those outlined in DORA.

By leveraging the forthcoming Shared Assessments SIG 2025 as part of a broader third-party risk management program, organizations can strengthen their third-party risk management practices and make significant progress towards DORA compliance.

(Many of the questions in the current SIG are relevant to DORA – the 2024 SIG can provide valuable information for assessing a third party’s ability to contribute to a financial institution’s overall operational resilience.)